Background

The Australian Taxation Office (ATO) provides online services to tax agents and businesses through its Tax Agent and Business Portals. The Tax Agent and Business Portals provide a gateway for tax agents and businesses to access tax information and complete a range of online transactions in a secure environment 24 hours a day, seven days a week. Through the Portals tax agents and businesses can lodge business activity statements, revise previously lodged business activity statements, submit requests for private binding rulings and communicate with the ATO in a secure environment.

The Commissioner of Taxation launched the Tax Agent Portal on 3 October 2002. This was six weeks after the ATO made the decision to develop the initial Tax Agent Portal prototype. The ATO developed the Tax Agent Portal in response to criticism and feedback from the tax agent community. An Australian National Audit Office (ANAO) audit of the ATO's relationship with tax practitioners, around this time, concluded that the ATO's relationship with the tax agent community had not been well managed.¹ The initial release of the Tax Agent Portal was a key strategy for the ATO to make it easier for tax agents to fulfil their role within the requirements of Australia's New Tax System and improve its relationship with the tax agent community.

The ATO utilised the existing functionality of the Tax Agent Portal to implement a pilot of the Business Portal in June 2003. A limited release of the Business Portal was subsequently undertaken, with the ATO officially launching the Business Portal in March 2004.

Audit objective

The objective of the audit was to review the operation of the ATO's Tax Agent and Business Portals. In conducting the audit the ANAO examined three key areas:

• governance – the governance arrangements supporting ongoing management of the Portals;
• portals development, user satisfaction and realisation of expected benefits – the ATO's processes for involving users in developing the Tax Agent and Business Portals, assessing user satisfaction, and evaluating business benefits arising from uptake of the Portals; and
• information technology (IT) security and user access controls – the ATO's IT security environment and user access controls supporting the operation of the Tax Agent and Business Portals.

Key audit findings

Governance

The ANAO found the ATO has established a governance framework that supports the ongoing management of the Tax Agent and Business Portals. The ATO's strategic and business planning activities supporting operation of the Portals provide clear direction and guidance for their future development. In mid-2006 the ATO commenced a review to better identify risks for its online transaction processes, including the Portals.

The ANAO has identified two areas where the ATO's governance arrangements supporting management of the Portals could be enhanced. These relate to the ATO documenting the roles and responsibilities of the Portals business owners and key internal stakeholders, and improving its performance measurement framework. Clearly articulating roles and responsibilities will assist the ATO to adopt a more coordinated approach to managing the Portals. Developing specific performance measures for the Portals will better inform management decision making, particularly regarding future investment in the Portals.

Portals development, user satisfaction and realisation of expected benefits

The ATO has been responsive to the need to improve information access for tax agents and expended a considerable effort in quickly developing the Tax Agent Portal. Overall, survey results have shown tax agents' satisfaction with and use of the Portal is high and increasing, and tax agents have experienced savings from using the Portal.

Uptake of the Business Portal has been slow, but has improved following the ATO's recent marketing efforts. To better understand its potential market for the Business Portal and the barriers to uptake, as well as inform its marketing and communication campaigns, the ANAO considers the ATO should assess the cost effectiveness of more comprehensively reporting Business Portal usage and uptake, by market and industry segments. The ATO advised that it recently commenced analysing Business Portal usage by market segment and industry type. Further, the ATO's Online services marketing communication strategy 2006-07 outlines initiatives aimed at managing businesses' expectations about online services and equipping them with the skills, confidence and support to move online.

The ATO advised that with the first release of the Tax Agent Portal, there was no expectation of delivering specific business benefits for the ATO. The imperative was to improve the ATO's relationship with tax agents. The ATO utilised the functionality of the Tax Agent Portal to develop the Business Portal. The ATO therefore regards the Business Portal as an add-on and any related subsequent increased use of its online services as a bonus.

The ANAO considers that it is now timely for the ATO to evaluate the administrative efficiencies it has achieved from introducing the Tax Agent and Business Portals. In this regard, the ATO advised that it is developing service delivery targets for each component of the online channel, of which the Portals are a key component.²

IT security and user access controls

The ATO has provided online real-time access to a number of its business systems through the Tax Agent and Business Portals. The ATO in introducing the Tax Agent Portal aimed to achieve a balance between uptake of the Portal and IT security (i.e. secure online access to taxpayer information). Access to business systems data via the Internet exposes the ATO to an increased level of risk. The ANAO considers that although the ATO has introduced a range of IT security and user access controls, these controls need to be strengthened in several areas to better protect the integrity of the ATO's business systems. Set out below is a summary of the ANAO's findings relating to the four key IT security and user access control issues examined as part of the audit.

IT security planning and architecture

The ANAO found in relation to the Portals the ATO requires a more systematic, directed, and comprehensive approach to IT security planning. The ANAO considers that as part of IT security planning for the Portals, the ATO should define the roles and responsibilities of system owners and other key stakeholders. This would support a coordinated approach to future Portals IT security planning.

The ANAO considers the Portals' security architecture provides appropriate security over the data flows and information processed by the applications.

Application security controls

Appropriate internal application security controls for Portals users have been implemented. These internal application security controls restrict user access to functionality within the application.

With regard to external application security controls, the ANAO found that the ATO does not maintain security baselines for all key system security components. The ATO has issued security baseline guidelines for some components, but has not established a formal process for monitoring compliance with the guidelines. The ANAO considers that, without formalised security baselines for all key system security components and ongoing compliance and security enforcement measures, the ATO, through operation of its Portals, may be exposed to a higher level of IT security risk than is considered acceptable.

Although control mechanisms for user access to the Portals have been implemented, the ATO's practices supporting the administrator function are not well developed, particularly relating to user access. The ATO's own reviews have also identified that there were limited mechanisms in place to ensure consistency in the process for the authorisation and revocation of Portals user access, and the monitoring and review of internal user access.

IT security monitoring and reporting

The ATO does not have the capability for the timely production of a clear and meaningful end-to-end view of a user's actions within the Portals. The ability to trace a user's actions is required to enable the reconstruction of events and to provide an adequate audit trail of user transactions. This is particularly important when reviewing transactions performed to detect possible security breaches. The ATO is undertaking a project to establish processes that will enable a complete view of a user's actions within its systems, including the Portals.

The ANAO found that the reporting requirements for security of the Portals are not well defined. Several areas within the ATO and its IT provider monitor and report on security safeguards for the Tax Agent and Business Portals. However, the ATO has not specified the frequency and type of security reports to be produced, nor had it taken steps to ensure the reports were being provided to the appropriate areas. The ANAO considers that the ATO's IT reporting regime restricts the effectiveness of IT security management of the Portals. The ATO is redefining its security reporting requirements.

The ATO's IT security incident management process was well established, however, significant incidents were not reported to the Defence Signals Directorate as required.

IT business continuity management

In addition to its own business continuity requirements, the ATO is becoming increasingly aware of the dependency that external Portals users, and tax agents practices in particular, have on the online services it offers. Unavailability of the Tax Agent and Business Portals for an extended time may have an adverse impact on the business of external users. The ATO, in October 2005, implemented a disaster recovery solution for the Portals. However, this solution resulted in technical problems during peak processing periods. The ATO advised that it is working on implementing a revised disaster recovery solution.

Conclusion

The ATO in developing and implementing the Tax Agent and Business Portals was aiming to make its clients' experience with the taxation system easier, cheaper and more personalised. The ANAO considers that introduction of the Tax Agent and Business Portals has been a significant achievement for the ATO.

The ATO's governance arrangements established for the Portals support their ongoing management. The Tax Agent Portal has been well received by the tax agent community. This has assisted the ATO in improving its relationship with tax agents. The Tax Agent and Business Portals have facilitated easier access to information for both tax agents and businesses. Since the Tax Agent Portal was introduced, around 80 percent of tax agents have accessed it. Surveys undertaken by the ATO indicate a high level of satisfaction with the Tax Agent Portal. The ANAO considers that uptake of the Business Portal has been slow but has improved with more recent efforts by the ATO to encourage greater business use of the Portal. Around 6 percent of businesses have accessed the Business Portal.

The ANAO concluded that the ATO has implemented a range of IT security and user access controls. The ANAO found that the Portals' IT security architecture provides appropriate security over the data flows and information processed and that appropriate control mechanisms have been implemented for user access. The ANAO also found that the ATO's incident management process was well established. However, the ANAO has identified several areas where the ATO needs to strengthen its IT security and user access controls around the Portals. These include: enhancing IT security planning, strengthening application security controls and user access administration, and improving IT security reporting.

Recommendations

The ANAO has made six recommendations. The first recommendation is aimed at strengthening the ATO's processes supporting the ongoing management of the Tax Agent and Business Portals. The remaining five recommendations are focused on improving aspects of the ATO's IT security, in order to preserve the integrity of its online channel.

The ATO agreed to the implementation of the six recommendations.

Summary of agency response

We are pleased that the ANAO report concluded that the ATO has established a governance framework that supports the ongoing management of the Tax Agent and Business Portals. The ATO's strategic and business planning activities support the operations of the portals and provide clear direction for their future development. We are pleased with the increasing level of satisfaction reported by the tax agents and that the portal is providing savings for this important intermediary. We have made some inroads in the uptake of the Business Portal by recent marketing initiative and will continue to focus on this area. The Online Marketing Strategy developed from research of market and industry segments is expected to see an increase in uptake.

The Tax Office welcomes the acknowledgement from the ANAO that in introducing the portals we have aimed to achieve a balance between uptake of the portal an IT security. The Tax Office agrees with the IT Security recommendations aimed to strengthen controls in several areas to better protect the integrity of the ATO's business systems.

Footnotes

1 Audit Report No.19 2002–2003, The Australian Taxation Office's Relationship with Tax Practitioners.

2 The Tax Agent and Business Portals are a key component of the ATO's online channel. The ATO's online channel is made up of several service delivery tools. The online channel is discussed in more detail in Chapter 1 of the Report.